I have several Juniper EX3400 switches set up as sources in Nagios Network Analyzer. Most of them report just fine. I have 2 for some reason that are not showing any data. All of them are set up to receive incoming sFlow data across a unique port (between udp2050 & 2070 in my case). The configurations across my devices are the same except the collector port.. see below
Juniper Switch config
[edit protocols]
sflow {
polling-interval 20;
sample-rate egress 512;
collector 192.168.5.10 {
udp-port 2055;
}
interface ge-0/0/0.0
interface ge-0/0/1.0
interface ge-0/0/2.0
}
Nagios NA config
Source-Name: east-wan-sw1
Listening-Port: 2055
Incoming Flow Type: sFlow
Raw Data Lifetime: 24 Hrs
On the firewall that sits in front of my Nagios NA server, I can see the flows of traffic coming from the switch going to the NA server using port 2055, but within NA the source shows no data received. I've tried to delete and re-create the source within NA and see the same results. I have many other switches configured the same way (using a different port obliviously) and they are all working as expect. I ran tcpdump on the NA server interface and I'm seeing traffic coming in from my source, but nothing is showing on the web interface. Any ideas?
Juniper EX switches sending data, NA not receiving
Re: Juniper EX switches sending data, NA not receiving
Hi @sawdusty, thanks for reaching out.
Nothing immediately stands out to me, but here are some other ideas:
This thread discusses a similar issue, and it seems like maybe some sources just need to be restarted. You mentioned deleting and re-creating the sources, but did you attempt "just" restarting them?
You mentioned that you're seeing data come in via tcpdump and get past the firewall, so the next thing I'd check is whether the data is actually getting into / out of nfcapd. I'd start by running something like
on your terminal, and verifying that the process is actually listening on the desired port. If it is running, I'd turn the source off and try to listen to the same port via netcat or socat. If you do receive data when manually listening on the port, you could try running nfcapd in the foreground to see if you get any useful output from the receiving program. I haven't tried this last one myself, so I'm unsure if it would do anything useful for you.
Let me know if any of that helps, or feel free to follow up with any additional questions or concerns.
-Sebastian Wolf
Nothing immediately stands out to me, but here are some other ideas:
This thread discusses a similar issue, and it seems like maybe some sources just need to be restarted. You mentioned deleting and re-creating the sources, but did you attempt "just" restarting them?
You mentioned that you're seeing data come in via tcpdump and get past the firewall, so the next thing I'd check is whether the data is actually getting into / out of nfcapd. I'd start by running something like
Code: Select all
ps -ef | grep nfcapd
Let me know if any of that helps, or feel free to follow up with any additional questions or concerns.
-Sebastian Wolf
Developer @ Nagios 2017-05-15 thru 2024-08-06
Re: Juniper EX switches sending data, NA not receiving
I ran the following command and was able to see the procress running. I manually restarted the process via the web interface and cli and neither seems to have made a difference.
Code: Select all
ps -ef | grep sfcapd
Re: Juniper EX switches sending data, NA not receiving
You're right, you'd be using sfcapd. I think the next step if you're troubleshooting is to run sfcapd manually, but replace -D with -E, both with a working and non-working source to see if there's a difference in the data you're receiving. You could also check the paths in that command - does the path ending in flows exist? Do the permissions allow the nna user to access it? That sort of thing. The last bit I'll mention is that ps output is a little different from what you'll have to run to get the process working. If you have a line like this:
You'll need to wrap the reap_files command in quotes, like so:
Code: Select all
/usr/local/bin/sfcapd -I 1 -l /usr/local/nagiosna/var/source1/flows -p 1234 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/source1/1234.pid -D -e -w -z -T all
Code: Select all
/usr/local/bin/sfcapd -I 1 -l /usr/local/nagiosna/var/source1/flows -p 1234 -x '/usr/local/nagiosna/bin/reap_files.py %d %f %i' -P /usr/local/nagiosna/var/source1/1234.pid -D -e -w -z -T all
Developer @ Nagios 2017-05-15 thru 2024-08-06
Re: Juniper EX switches sending data, NA not receiving
I have files that exist in the flows folder. Some files appear to be very small, others seem to have some actual data. As compared to sources that are working as expected, the file sizes pale in comparison. When I run the command "/usr/local/bin/sfcapd -I 1 -l /usr/local/nagiosna/var/source1/flows -p 1234" I don't see any traffic (process must be stopped to run this command). When I run the "/usr/local/bin/sfcapd -I 1 -l /usr/local/nagiosna/var/source1/flows -p 1234 -x '/usr/local/nagiosna/bin/reap_files.py %d %f %i' -P /usr/local/nagiosna/var/source1/1234.pid -D -e -w -z -T all" command I see traffic.
Re: Juniper EX switches sending data, NA not receiving
IMO, that confirms it's a permissions issue - I would delete the source in NNA, ensure that the directory is deleted for that source, and then create a new one with the same settings. If you continue to have problems after that, I would probably create a case on Answer Hub so that you can get more in-depth support with a better response time.
Developer @ Nagios 2017-05-15 thru 2024-08-06
Re: Juniper EX switches sending data, NA not receiving
I deleted the files/folder associated with the source and re-added the source. This seems to have resolved it. Thanks for all the info.